Hello Guys..On wildhacker I have written many tutorial about How to hack email account passoword using Keylogger and many other method like phishing etc. I have also written article on Website Hacking.
But today in this article, I am going to share with you some things different than previous articles which I found while surfing the web.
You might be interested in some of our other articles:
Don’t forget to Subscribe to our RSS feed
There was nothing special about this spam but the link with a double extension file named “you.jpg.exe” was something worth investigating. So out of curiosity, I downloaded the file and checked out what it does. First thing I did was to find out what the file really was. Of course, it was not an image file of Obama but rather a self-extracting RAR file.
Opening the file through a RAR extracting tool revealed the files inside it.
I extracted “you.jpg.exe” and inspected each of the files inside it but found they were actually encoded. So I run “you.jpg.exe” in our test machine and observed. When run, the image below popped up. Hmmm, definitely not Obama.
In the background, the following files were installed in the Windows System32 folder:
Googling for the dropped files gave me a hint that what was installed was a keylogger and in particular a commercial version from Blazing Tools called Perfect Keylogger (PK). This keylogger program can be legitimately purchased and used, ostensibly for monitoring your kids’ or employees’ browsing habits, etc. As you can imagine, PK can also be used for badness. I almost ended the analysis here. But a moment later, more interesting stuff appeared. The keylogger connected to a remote FTP server, and this allowed me to intercept the attacker’s FTP credentials.
Using the intercepted credentials, I logged in to the FTP server and found many folders containing monitoring logs and screenshots of victim’s desktop. That number of logs shows just how effective the spammer’s social engineering trick was.
Here is the WHOIS info of the FTP server:
Not wanting to stop here, I did a little more investigation on the PK installation files in my hope to uncover who was behind the campaign. According to PK’s Online Help webpage, the program uses a hotkey to unhide the admin window or the system tray icon. The default hotkey combination is CTRL+ALT+L, but this didn’t work. So brute forcing different hotkey combinations enabled me to retrieve the correct hotkey. But to my dismay, this window popped up:
Before getting dirty by reverse engineering the keylogger and trying to crack the password, I scrounged around the net for more clues. I found a personal, In his blog, he noted that the password and other configurations were stored in an encoded file named PK.BIN, and the monitored data is stored in an encoded file named BPK.DAT. He also noted that the files can be decoded with a simple XOR using the key 0xAA. I supposed that the PK version that Chris analysed was an older version, hence the XOR key 0xAA didn’t decode our configuration file. Well, for the dump file BPK.DAT, the XOR key partially worked, but to make it more readable I XORed it using two bytes 0xAA, 0x00:
But I was more interested in the file PK.BIN, because it stores the configuration details of the keylogger including perhaps the details of the attacker. But the file needed some extra work because of the fact that it can’t be decoded by simply XORing it with 0xAA. So my best guess was that it used a different XOR key. This is what the file looks like in text mode, hhmmm look at that repetitive pattern!
In HEX mode, I took that repetitive string and made it our XOR key:
With the help of some python script, it helped me decode the file:
And voila! (note: I needed to blur some details to protect the victim’s data in the FTP server)
The decoded PK.BIN shows enough details to get inside the PK admin panel, including the keylogger's admin password, FTP server/credentials, PK license name and license key. I typed in the admin password and it was successful, giving me more understanding about what the attacker is capturing and more of his keylogger configuration.
In the configuration file, it revealed the name Charles Onuigbo as the PK license name.
Now, I don’t conclude that Charles Onuigbo is the attacker or indeed if he is a legitimate person. The only thing interesting about the name is that it appears to be fairly common in Nigeria, the home of email scams!
I have reported the FTP site to its ISP through abuse email, and am looking forward to this site being taken down ASAP.
Credit: blog.spiderlabs.com
But today in this article, I am going to share with you some things different than previous articles which I found while surfing the web.
- Premium Link Generator Wupload
- How to hack and crack IDM
- How To Setup Port Forwarding Using Utorrent
- Password Hacking : Sniperspy keylogger For Mac Operating System
- Premium Link Generator Wupload
- How to hack and crack IDM
- Facebook, Hotmail, Gmail Passowrd hacking through Winspy Keylogger
- Remote Password Hacking Software - Sniperspy keylogger
- How To Hack Password Through Mobile
Don’t forget to Subscribe to our RSS feed
Hacker News | Pwning a Spammer's Keylogger
Recently, while scrounging around our spam traps, I spotted this ordinary piece of malicious spam. It uses a very simple social engineering trick, speculating about Obama’s sexual orientation and a link to a supposed picture to prove it.There was nothing special about this spam but the link with a double extension file named “you.jpg.exe” was something worth investigating. So out of curiosity, I downloaded the file and checked out what it does. First thing I did was to find out what the file really was. Of course, it was not an image file of Obama but rather a self-extracting RAR file.
Opening the file through a RAR extracting tool revealed the files inside it.
I extracted “you.jpg.exe” and inspected each of the files inside it but found they were actually encoded. So I run “you.jpg.exe” in our test machine and observed. When run, the image below popped up. Hmmm, definitely not Obama.
In the background, the following files were installed in the Windows System32 folder:
- bpk.dat
- bpk.exe
- bpkhk.dll
- bpkr.exe
- inst.dat
- pk.bin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bpk = <%windir%\System32\bpk.exe>
Googling for the dropped files gave me a hint that what was installed was a keylogger and in particular a commercial version from Blazing Tools called Perfect Keylogger (PK). This keylogger program can be legitimately purchased and used, ostensibly for monitoring your kids’ or employees’ browsing habits, etc. As you can imagine, PK can also be used for badness. I almost ended the analysis here. But a moment later, more interesting stuff appeared. The keylogger connected to a remote FTP server, and this allowed me to intercept the attacker’s FTP credentials.
Using the intercepted credentials, I logged in to the FTP server and found many folders containing monitoring logs and screenshots of victim’s desktop. That number of logs shows just how effective the spammer’s social engineering trick was.
Here is the WHOIS info of the FTP server:
Not wanting to stop here, I did a little more investigation on the PK installation files in my hope to uncover who was behind the campaign. According to PK’s Online Help webpage, the program uses a hotkey to unhide the admin window or the system tray icon. The default hotkey combination is CTRL+ALT+L, but this didn’t work. So brute forcing different hotkey combinations enabled me to retrieve the correct hotkey. But to my dismay, this window popped up:
Before getting dirty by reverse engineering the keylogger and trying to crack the password, I scrounged around the net for more clues. I found a personal, In his blog, he noted that the password and other configurations were stored in an encoded file named PK.BIN, and the monitored data is stored in an encoded file named BPK.DAT. He also noted that the files can be decoded with a simple XOR using the key 0xAA. I supposed that the PK version that Chris analysed was an older version, hence the XOR key 0xAA didn’t decode our configuration file. Well, for the dump file BPK.DAT, the XOR key partially worked, but to make it more readable I XORed it using two bytes 0xAA, 0x00:
But I was more interested in the file PK.BIN, because it stores the configuration details of the keylogger including perhaps the details of the attacker. But the file needed some extra work because of the fact that it can’t be decoded by simply XORing it with 0xAA. So my best guess was that it used a different XOR key. This is what the file looks like in text mode, hhmmm look at that repetitive pattern!
In HEX mode, I took that repetitive string and made it our XOR key:
With the help of some python script, it helped me decode the file:
if len(sys.argv) > 1:
pkhandle = open(sys.argv[1],'rb')
pkbuffer = pkhandle.read()
pkhandle.close()
key=[0x0D,0x0A,0x08,0x05,0x01,0x02,0x06,0x03,0x03,0x0E,0x01,0x08,0x03,0x0C,
0x09,0x07,0x05,0x0D,0x0C,0x0B,0x03]
dec = ''
ctr = 0
for i in range(11,len(pkbuffer)):
a= ord(pkbuffer[i])
b =key[ctr%len(key)]
x = a^b
dec = dec+(chr(x))
ctr+=1
dechandle = open('pk.dec','wb')
dechandle.write(dec)
dechandle.close()
And voila! (note: I needed to blur some details to protect the victim’s data in the FTP server)
The decoded PK.BIN shows enough details to get inside the PK admin panel, including the keylogger's admin password, FTP server/credentials, PK license name and license key. I typed in the admin password and it was successful, giving me more understanding about what the attacker is capturing and more of his keylogger configuration.
In the configuration file, it revealed the name Charles Onuigbo as the PK license name.
Now, I don’t conclude that Charles Onuigbo is the attacker or indeed if he is a legitimate person. The only thing interesting about the name is that it appears to be fairly common in Nigeria, the home of email scams!
I have reported the FTP site to its ISP through abuse email, and am looking forward to this site being taken down ASAP.
Credit: blog.spiderlabs.com
Filed Under: MISCELLANEOUS
If you enjoyed this post and wish to be informed whenever a new post is published, then make sure you subscribe to my regular Email Updates.
Subscribe Now!
Do you need to know what your child is doing on the computer? Do you want to know what your loved ones or spouse or kids are doing on the computer? Do you need to monitor what your employees are doing during work hours? Are they working or playing?
Winspy Keylogger
is intended to help you in these kind of situations. It can show you exactly what is being done on the computer at any time.
Click Here To Download Winspy Keylogger
